#1  Posted 06-21-2017, 10:18 AM by ChuckS@CAM-Ohio (Registered User, Ohio, USA)
Question Configuring root login attempts for AuthFailed trigger

Hello,

We are currently using VShell Version: 4.2.2 (build 1121) and are quite pleased with its features and capabilities.

We currently block root login access using the configuration file directive:
DenyRoot true
We know this is working because we are seeing entries like this in the log files:
20161120 101942 VShell%20SSH2 auth 547 root 0 0 0 0 00547 Root login refused from 204.16.31.32

We want to continue blocking root logins and also:
  1. Use the DenyHostAfterFailure feature to add the offending IP address to the DenyHostsFile.
  2. Have root login attempts trigger the AuthFailed event.

What changes in the configuration file are required?

Thanks!
Chuck
#2  Posted 06-21-2017, 10:40 AM by ekoranyi (VanDyke Technical Support)
Hi ChuckS@CAM-Ohio,

I'm glad to hear that VShell is working well for you.

What Operating System are you running VShell on? It looks like Linux, is that the case?

Are you wanting to add only root login attempts to the Deny Hosts file or everyone over a set threshold of authentication attempts?
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#3  Posted 06-21-2017, 11:24 AM by ChuckS@CAM-Ohio (Registered User, Ohio, USA)
Re: Configuring root login attempts for AuthFailed trigger

Hello, ekoranyi.

Yes, we are on a RHEL server.

We would want everyone with failed attempts above a threshold added to the DenyHostsFile, including the root login attempts.

Chuck
#4  Posted 06-21-2017, 01:38 PM by ekoranyi (VanDyke Technical Support)
Hi ChuckS@CAM-Ohio,

To enable Deny Hosts you will want to uncomment and configure the following lines in your vshelld_config file.

DenyHostAfterFailure true
DenyHostsFile /path/to/denyhosts.txt
DenyHostAfterFailureCount 3

There will be a limitation in that using DenyRoot true blocks any attempt to use the root username before it reaches authentication. This means that attempts using root don't fail authentication because they never get the chance.

We may be able to get you the behavior you desire by setting DenyRoot false and adding root to the Deny Users list. What would you like to have happen when someone attempts to log in as root? What action would you like to trigger?
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#5  Posted 06-21-2017, 03:37 PM by ChuckS@CAM-Ohio (Registered User, Ohio, USA)
Re: Configuring root login attempts for AuthFailed trigger

"We may be able to get you the behavior you desire by setting DenyRoot false and adding root to the Deny Users list. What would you like to have happen when someone attempts to log in as root? What action would you like to trigger?"

We would like to:
  1. Continue blocking 'root' logins, and will do so by changing the following vshelld_config settings:
    AccessControl {
    Login {
    AllowUsers{*}
    DenyUsers{ root }
    }
    ...
    }

    DenyRoot false
  2. Continue having failed user login attempts, now including 'root', generate a FailedAuthCommand-triggered event, by this trigger:
    #FailedAuthCommand
    FailedAuthCommand /bin/su app_user -c "/usr/local/bin/vshell-trigger FailedLogin $U $D $T $S $I"
  3. Have failed login attempts automatically block IP addresses, by adding the following:
    DenyHostAfterFailure true
    DenyHostsFile /our/path/to/denyhosts.txt
    DenyHostAfterFailureCount 3
Will those changes work for what we need?

Thanks again!
Chuck

Last edited by ChuckS@CAM-Ohio; 06-21-2017 at 03:43 PM.
#6  Posted 06-21-2017, 04:29 PM by ekoranyi (VanDyke Technical Support)
Hi ChuckS@CAM-Ohio,

One issue we will run into is a failed auth trigger won't be tripped until the number of attempts exceeds what is set in the MaximumAuthenticationRetries.
If root is denied by any method the user can never get more than "1" authentication attempt.

We could set MaximumAuthenticationRetries to 1 to include root attempts but this may negatively impact legitimate users who mis-type a password.

One option may be to craft a script that, on every authentication failure, checks to see if the user was root; if so, add that IP to the deny host file, and if not, do nothing. This would allow Deny Hosts to work as intended, adding an IP after 3 failed authentication attempts for normal users, but adding the IP for any connection attempting to use root after the first attempt.

What does your current Failed Login script do when it's fired?
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#7  Posted 06-22-2017, 07:34 AM by ChuckS@CAM-Ohio (Registered User, Ohio, USA)
As you may have assumed, we have one large trigger script, vshell-trigger for this example, which uses command-line arguments to determine specific functionality. You may have also noticed our trigger script runs with the security context of a special user account, 'app_user' for this example. This way any shortcomings or exploits in the trigger script are localized to that user's context. A remote process connects to this account to perform automated file transfers. Therefore the script determines which actions are taken depending on the trigger type and user class: self, for the automated process; admins, for internal staff; users, for our external business partners.

Currently the FailedAuth call only writes to an application-specific log file, which is retrieved daily. Can you show us the vshelld_config settings required to achieve the scenario you mentioned, where the threshold effectively is 1 failed attempt for root and 3 (or more) for other users?

Thanks
Chuck
#8  Posted 06-22-2017, 11:16 AM by ekoranyi (VanDyke Technical Support)
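The root-aware failed-login handler that Eric suggests in #6, written against the trigger command line Chuck shows in #5 and #7 (an added example, not VShell's code or Chuck's actual vshell-trigger script). It assumes that of the substitutions VShell passes as `$U $D $T $S $I`, `$U` is the username and `$I` the client address, and that the DenyHostsFile takes one address per line; the application log path is an assumed placeholder.

```shell
#!/bin/sh
# Added example of a FailedLogin handler in the style of the thread's vshell-trigger.
# ASSUMPTION (not confirmed by the thread): VShell runs
#   vshell-trigger FailedLogin $U $D $T $S $I
# with $U = username and $I = client IP; DenyHostsFile holds one address per line.
DENYHOSTS_FILE="${DENYHOSTS_FILE:-/our/path/to/denyhosts.txt}"   # path from post #5
APP_LOG="${APP_LOG:-/var/log/app/vshell-trigger.log}"             # assumed placeholder

# is_valid_ipv4 IP: 0 if IP is a well-formed dotted quad, else 1.
# The trigger's arguments come from an unauthenticated client, so validate
# the address before it is ever written into the deny list.
is_valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# deny_root_attempt USER IP FILE: append IP to FILE once if USER is root.
# Returns 0 when the address was added, 1 when nothing was done
# (non-root user, malformed address, or address already listed).
deny_root_attempt() {
    user=$1; ip=$2; file=$3
    [ "$user" = "root" ] || return 1
    is_valid_ipv4 "$ip" || return 1
    grep -qxF "$ip" "$file" 2>/dev/null && return 1
    printf '%s\n' "$ip" >> "$file"
    return 0
}

# handle_failed_login USER DATE TIME STATUS IP: log every failure (what the
# thread's script already does), then apply the root-specific first-strike rule.
# Normal users are left to DenyHostAfterFailureCount in vshelld_config.
handle_failed_login() {
    user=$1; date=$2; time=$3; status=$4; ip=$5
    printf '%s %s FailedLogin user=%s status=%s ip=%s\n' \
        "$date" "$time" "$user" "$status" "$ip" >> "$APP_LOG"
    deny_root_attempt "$user" "$ip" "$DENYHOSTS_FILE"
}

if [ "$1" = "FailedLogin" ]; then
    shift
    handle_failed_login "$@"
fi
```

The handler only ever appends addresses; it does not parse or rewrite the existing deny list, so a malformed entry elsewhere in the file cannot be amplified by it.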
Hi ChuckS@CAM-Ohio,

During my configuration testing I noticed some adverse behavior that is preventing my suggested implementation. I've asked that our QA/DEV team review the issue. I'll be sure to respond in this thread when I have additional information on how to get the behavior you are looking for.
__________________
Thanks,
--Eric

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730
#9  Posted 01-29-2019, 01:04 PM by jdev (VanDyke Technical Support, Albuquerque, NM)
Hi Chuck,

Our development team has implemented a fix for the issue that was preventing you from configuring VShell to add an IP address to your DenyHosts file after a specific number of failed authentication attempts had been made.

If you would like access to a newer version of VShell for your RHEL machine that has this fix in place, would you please send an email to support@vandyke.com with a subject of: ATTN: Jake - Forum thread #12734. In your email, please let me know the email address associated with your VanDyke Software download account so that I can make the installer available to you.

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support